An insidious new form of Android malware detected in the wild deploys a cryptocurrency miner that can actually cause physical damage to phones, according to a newly published report.

Dubbed “Loapi” by security researchers at Kaspersky Lab, the trojan malware is spread via porn sites and fake malware apps. So far, it’s believed to have successfully infected over 46,000 phones in 86 countries, with the number continuing to grow.

Once on a targeted device, Loapi repeatedly seeks administrative permissions from a victim until they are accepted, working on the concept that users will eventually agree to the prompts so as to be rid of them. Once they do so, the malware hijacks the phone’s processor to mine for the Monero cryptocurrency.

Cryptocurrency mining, the process by which transactions are verified and added to the public ledger, involves compiling recent transactions into blocks and trying to solve a computationally difficult puzzle, with those mining the given currency rewarded for their efforts with coins or tokens in that cryptocurrency.

The process involves computing power, and that’s where the problem with Loapi lies. The malware uses so much processing power on an infected device that it can actually damage and even destroy it. According to the researchers, the malware hit their test device so hard that “the battery bulged and deformed the phone cover.”

“The surprisingly unexpected risk which this malware brings is that even though it can’t cause direct financial damage to the user by stealing their credit card data, it can simply destroy the phone,” they wrote Monday. “This is not something you would expect from an Android trojan, even a sophisticated one.”

Loapi itself can be used for other purposes, including launching distributed denial-of-service attacks, ad hijacking and data theft, though those activities don’t kill a victim’s phone.

Android users are, as always, advise to practice safe internet. Along with having up-to-date antivirus software installed on their phones, they should always be wary of downloading apps from unofficial stores and refuse to accept requests for administrative permission from unknown apps.

Photo: Kaspersky Lab